Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why do these seemingly identical searches return d...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CarbonCriterium
Path Finder
08-18-2020
02:17 PM
I have four versions of a nearly identical search. The last one returns a completely different result. What is it about the interaction of the "sort" and "head" commands that changes the outcome?
...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -sc_bytes
...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes
...| stats sum(eval(sc_bytes/1073741824)) AS Gigabytes by cs_uri_stem | sort -Gigabytes | head 100
...| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-19-2020
07:15 AM
hi @CarbonCriterium , can you try this once and see it that helps
..| stats sum(sc_bytes) as bytes by cs_uri_stem | eval Gigabytes=bytes/1073741824|sort - Gigabytes | head 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-19-2020
03:32 AM
Hi @CarbonCriterium , in the last query
..| stats sum(eval(sc_bytes/1073741824)) as Gigabytes by cs_uri_stem | sort -sc_bytes | head 100
below sort will do nothing as the field used for sorting does not exist in the result
...| sort -sc_bytes
and below is taking 100 results (after the stats command) from the top
....| head 100
Are you seeing any different behavior?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CarbonCriterium
Path Finder
08-19-2020
06:36 AM
The head command appears to work correctly, but the results do not match up. In the attached screenshot the values that have the greatest value in GB do not have the greatest value in Bytes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nisha18789
Builder
08-19-2020
07:15 AM
hi @CarbonCriterium , can you try this once and see it that helps
..| stats sum(sc_bytes) as bytes by cs_uri_stem | eval Gigabytes=bytes/1073741824|sort - Gigabytes | head 100
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
